Code Red won't actually attack again until August 20. But what have we already learned from it?
"Software engineering" is to engineering what fantasy baseball is to baseball: not much like the real thing.
How else to explain how any commercial software written by professional "software engineers" still has a buffer-overflow bug? There's not a competent programmer on the face of the planet who can't write a buffer that won't overflow. That code shouldn't have made it through its first code review. Or past the programmer's Enter key.
There's no excuse for it. As Microsoft's chief software architect, Bill Gates should be personally ashamed.
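The bug the column is complaining about is a fixed-size buffer filled with unchecked input. The following is an added example, not code from the column or from any Microsoft product: a hypothetical request handler written the unsafe way, beside a bounded copy that refuses input that does not fit. The function names, the 64-byte limit and the sample request strings are all constructed for illustration.

```c
/* Added example (not from the column): the buffer-overflow pattern the
 * column complains about, shown beside a bounded replacement.
 * handle_request_unsafe() and handle_request() are hypothetical stand-ins
 * for any server code that copies network input into a stack buffer. */
#include <stdio.h>
#include <string.h>

#define URL_MAX 64   /* constructed limit for the example */

/* The defect: strcpy() copies until it finds a NUL byte, so any request
 * longer than URL_MAX - 1 characters writes past the end of `url`.
 * Kept only to document the pattern; it is never called with real input. */
static void handle_request_unsafe(const char *request)
{
    char url[URL_MAX];
    strcpy(url, request);          /* no length check: overflows on long input */
    printf("serving %s\n", url);
}

/* The fix: never write more than dst_size bytes, always NUL-terminate,
 * and report input that does not fit instead of silently truncating it.
 * Returns 0 if the whole string was copied, -1 if it was rejected. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    /* Measure src, but read no further than dst_size bytes of it. */
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n == dst_size) {           /* no room for the terminating NUL */
        dst[0] = '\0';             /* leave dst in a well-defined state */
        return -1;
    }
    memcpy(dst, src, n + 1);       /* n + 1 copies the terminating NUL too */
    return 0;
}

/* Hardened handler: rejects over-long requests rather than overflowing. */
int handle_request(const char *request)
{
    char url[URL_MAX];
    if (bounded_copy(url, sizeof url, request) != 0) {
        fprintf(stderr, "request rejected: longer than %d bytes\n", URL_MAX - 1);
        return -1;
    }
    printf("serving %s\n", url);
    return 0;
}

int main(void)
{
    char long_request[200];                                /* constructed over-long input */
    memset(long_request, 'X', sizeof long_request - 1);
    long_request[sizeof long_request - 1] = '\0';
    handle_request("/index.html");                         /* fits: served */
    handle_request(long_request);                          /* too long: rejected */
    (void)handle_request_unsafe;                           /* documented, not exercised */
    return 0;
}
```

The point of returning an error rather than truncating is that a silently shortened URL or filename can itself become a security problem; a handler that refuses what it cannot hold is both safe and easy to review.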
Six out of seven systems administrators can't be bothered to use protection. By one estimate, 85% of vulnerable systems hadn't been patched by August 1, when Code Red started spreading again. Other estimates put the figure as low as half. Either way, the numbers are far too high.
Let's be fair: Microsoft issues hundreds of patches for Windows NT and 2000, and too many of them create blue screens on business-critical servers. That makes the cost of constant patching tough for systems administrators to sell to management. But by now, every CEO should have heard of Code Red. So if you can't sell all patches to management, this patch, at least, shouldn't be a tough sell at all.
The way to grab publicity is to hit below the Beltway. And what worm designer isn't looking for publicity? Attacking the White House website makes Code Red a hot mainstream news story. It gives the FBI an excuse to issue hourly bulletins and offers cable news channels the chance to speculate endlessly on whether the worm's next target will be Congress, the Pentagon or the cafeteria at the Smithsonian. That's the kind of coverage no Love Bug email virus will ever get.
Figures lie, liars figure, and hype machines work overtime. One analyst pronounced last week that Code Red had already cost $US1.2 billion in damage, $US740 million of which was the cost of patching and protecting systems. Why does an analyst count routine security costs as part of Code Red's "economic damage"? Because $US1.2 billion sounds a lot more impressive than a specious estimate of $US450 million in lost productivity.
Meanwhile, just hours after Code Red reactivated itself, it was being declared a dud. Not by security experts; they were still gathering data. But by media talking heads who apparently decided that, since the internet was still running, Code Red must have fizzled, never mind that it was 19 days before the worm was slated to actually do anything.
The public no longer believes any of us. No wonder 84% of those responding in a CNN online poll last Wednesday said they were no longer worried about Code Red. After two weeks of hype-happy misinformation, they decided Code Red is just another bogus end-of-the-world threat. Of course, if the net is staggered by the worm on August 20, they'll blame the experts for not warning them. It's a colossal failure in managing expectations.
Worm-writing has come of age. This isn't script-kiddie stuff anymore. Code Red is sophisticated, and it's evolving to become sneakier in its distributed attacks. The nasties have caught up with our lackadaisical attitude about security. Now it's not just the worst of security dummies who can get hurt. Even clean, secure systems can suffer from an Internet clogged with denial-of-service packets. Either we kick security up a notch or we're cooked.
Politicians won't save us from ourselves. Forget about White House studies, congressional committees or FBI task forces; they can't get IT shops off the dime to take security seriously. What may finally do it? Once insurance companies start writing "patch and inoculate, or we won't pay" clauses into their policies, maybe IT will get the necessary will and budget to start securing systems.
In the meantime, we'll still be waiting for Code Red.
Hayes, Computerworld US' senior news columnist, has covered IT for more than 20 years.